terrible virus! need much help!

[billiusthemook]

ok, so i run morpheus and have all possible firewalls for my internet connection disabled.  *if it matters, i have a wireless network card connected to a belkin router*.  I have windows xp, don't have service pack 2, and do not have any anti-virus software as i have heard that the programs i have are already the best and they are free.  I do not download any porn, but here's what happened:

I was running microsoft word, and clicked on help.  I then searched for the keyword "landscape".(i don't think you guys care why)  Then all *censored* broke loose, at least in the eyes of any fundamentalist christian;

suddenly i heard moaning and the screen went black.  Next thing i know the one screensaver which goes through showing all the pics in the my pictures folder turns on, only all the pics are not mine, rather they are all of very hardcore homosexual things.  I panicked and started hitting ctrl+alt+delete, but didn't want to restart the computer because i was in the middle of a document i had been working on for a while and didn't want to lose it.  Eventually the screensaver turned off and i saw the windows media player on and a gay porn playing in it.  I turned it off and then saw that the desktop wallpaper had changed to a big gay picture.  I looked at the my computer and saw that it had changed the name of my c drive to gaysystem.  When i went on ie i saw it changed the homepage to a gay pic site, and at the top heading of the ie window it lists "-!!!GAYSEX IS GREAT!!! after any page heading i go to.  also, when i right clicked onthe desktop and brought up properties, the display tab was gone so i couldn't change the wallpaper.  I ran spybot, spydoctor, and adaware, not in that order.  after deleting all the files it found and restarting the computer for the ones it couldn't in the first place, the whole virus was still there.

I'm really desperate to get rid of this please help!

[dl65]

billiusthemook......I could go on a rant about why would anyone be online with "all firewalls disabled"  or even worse be using a P2P ......( which is just inviting major problems) ......and the worst crime of all being online with no ....I repeat no ANTI - VIRUS .......but I won't.
I would suggest the following......as you have no idea what you have.....is go to .... http://vil.nai.com/vil/stinger/   on a non infected pc and download stinger......it is a small app which you can put onto a floppy. Then isolate the infected pc from any inrternet connection and run stinger.......hopefully it will remove the intruder.......(note that stinger is not a anti virus ,but rather a removal tool) now once you have things under control....I would get rid of any P2P applications ...and install a good fully functional anti -virus program.....now you say "I have windows xp, don't have service pack 2, and do not have any anti-virus software as i have heard that the programs i have are already the best ."  what programs do you have that protects you without using a anti virus. Hopefully you havent tried to use the system restore feature in XP ....or you may have infected those files as well........but never mind you can always format and reinstall everything.
Good luck and let us know how you make out.

dl65  

[billiusthemook]

ok, did what you said and the stinger only picked up one thing which was apparently not related to my problem.  

what should i do now?  if you know, please tell me how to do it in really simple terms i'm new to stuff like uninstalling windows or crashing and remaking computers and such.  i just hope it doesn't have to come to that.

[dl65]

billiusthemook...what was it that stinger found and removed ?
Have you tried to manually change your homepage back to something else ... You should also click on tools / internet options......then change the home page address to what you want .....then click on Delete cookies , then click delete files , and then click delete history then click apply and ok .  Go to C: programs and see if there are any programs listed there which shouldnt be......if you see any remove them by going into control panel and using the Add/Remove programs.
Next I would reboot your pc and then open Internet explorer and see if your home page has changed or if its still set as you want it ........if not you should D/l and install a program called hijackthis..........available at....
http://www.majorgeeks.com/download3155.html  
Run the program and post the log it generates here for us to look at and we should be able to tell you which items to mark for removal. If the log generated is too large to post .......copy and paste it in in two posts.
Do you have any sort of a registry cleaning program?
let us know how you make out

dl65  

[billiusthemook]

Logfile of HijackThis v1.98.2
Scan saved at 4:01:55 AM, on 10/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Billius Cello\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = !!! GAYSEX IS GREAT !!!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\Run: [MSWinSrv32] C:\WINDOWS\System32\MSWinSrv32.exe
O4 - HKLM\..\Run: [WinMsrv32] WinMsrv32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\DOCUME~1\BILLIU~1\LOCALS~1\Temp\helpctl.EXE] C:\DOCUME~1\BILLIU~1\LOCALS~1\Temp\helpctl.EXE
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunServices: [WinMsrv32] WinMsrv32.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [Winstart] C:\windows\winstart32.exe
O4 - HKCU\..\RunServices: [addip3232] C:\windows\system\addip3232.com
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

[billiusthemook]

please tell me which items i should get rid of from the list above

[dl65]

billiusthemook.....Good day.....I have just finished going through your log file.....and its completely full of spyware and bits and pieces of at least 3 viruses.....
I notice there is an entry in your running processes fpr AOL....... do you use AO *censored* ? if you do I wont have you remove it .......Do you use a hand held pda......because Im finding infected entries refering to it as well ......Give me the answers to these questions and I will publish what I think you should mark for removal..... The other thing is what page do you use as your homepage.

dl65  

[billiusthemook]

i do use aol and do not use a hand held pda and usually i use about:blank for my homepage, but with morpheus it changes it to startsearch or something like that.  


Don't worry, once this virus is out i plan on uninstalling morpheus as well as running all my anti-spy and adware programs AND i will definetely get a anti- virus program. {sidenote: what would you recommend for this?}.  and does using a firewall or anti-virus program slow down my games in any way, performance or ping etc?

[dl65]

billiusthemook....OK , here's what I would like you to do... Open Hijackthis......now click on config. Next ..make sure that boxes 2, 3 , 4 and 5 have check marks in them.
Next....in the 4 url boxes .....please enter http://www.msn.com ......Next click scan ...then click back.  Next ...click scan......

now you have your log ...... Now check the items I have listed in RED..... refer to the log above you posted

[billiusthemook]

well i did as you said and checked only the text you highlighted in red.  It's fixed.  Still got the virus though.

[dl65]

for some reason I am unable to change all the color to red

[billiusthemook]

forgot to mention that although you listed a chunk of the above log, i only checked one; the one you highlighted red.  i'm posting this because i looked at the last post and saw the list you had on before disappeared.

[billiusthemook]

sorry bout that, guess we were posting at the same time... so which ones should i check in hijackthis?

[dl65]

open your hijack log and mark for fix   the following....
all RO , R1 and R3 .

02    BHO ( no name )
03    Toolbar no name
04    HKLM  [nwiz]
the next 3 .....04 entries
04   HKLM [TBPS]
04   HKLM [Quicktime task]
04   HKLM [docume~ 04   HKLM [system log event ]
04   HKLM [microsoft update[ 04   HKLM [ winstart]
04   HKLM [ addip3232]
04   startup...powerReg v3
04   startup ..powerReg scheduler.exe
 

[dl65]

billiusthemook...sorry about giving it to you this way .....
When you have removed all the items try and go to
http://www.symantec.com/index.html
scroll down the page a bit until you see downloads ...then choose security check ....when that page opens choose virus scan and let it run

when its finished record wht it finds if anything and then post it


dl65